Security and Data Information

Security & privacy

Connection security

All data sent to or from SETLS is protected by TLS 1.2 or above. This provides the same level of security as online banking, government and other sites.

Authentication & password management

SETLS uses form-based authentication where the password is sent as a POST parameter. The password is transmitted securely using TLS.

Passwords are stored in the database as a salted hash, and cannot be retrieved by the SETLS team. Passwords can be reset by any user with administrative permissions by

After checking the password, SETLS creates a cryptographically-secure session cookie. This is used to identify the user when they return to SETLS using the same device, so they do not need to log in again.

A user with administrative permissions can remove a logged-in session, or reset the user's password. Both actions will require the user to enter their password the next time they access SETLS.

Email configuration

SETLS sends emails to members or toy library staff for a variety of reasons, including:

A full list of the automatic emails can be found in the demonstration system.

Emails are sent with a "from" address of noreply@<toylibrary>.setls.com.au. The "reply to" address can be set from the settings page.

Emails from SETLS are sent via Amazon Simple Email Services (SES). You do not need to provide SETLS with access to your mail server or a relay.

Sensitive information

SETLS can be used to record information about members that may be considered sensitive. This information includes:

Member details
  • Name: Required
  • Email: Optional, required for online access
  • Mobile phone: Optional, required for SMS

Home address
  • Street, suburb and phone: Optional

Alternate contact
  • Name, address and phone: Optional

Identity
  • Driver's license number: Optional

The following additional fields can be enabled from the settings page.

Member details
  • Date of birth
  • Healthcare card (checkbox)
  • Ethnicity
  • Language
  • Disability

Children
  • Name
  • Date of birth
  • Gender

Organisations (schools)
  • Name

Additional information related to library operations, such as membership type, are also recorded. These can be seen in the demonstration system.

Financial transactions

SETLS can be used to manually record member charges and payments, including membership fees and penalties.

SETLS also supports online payment of membership fees using PayPal. This requires creation of a PayPal account.

The SETLS team are currently investigating integration with Square for online and in-person payments.

Data validation

SETLS uses model-driven design and all input fields are:

Many scenarios for business rule checking are covered by workflow operations rather than manual data entry. For example, when loaning an item, the loan and due dates are derived automatically instead of being entered manually.

Model-driven design allows business rules to be centralised in the model rather than being distributed throughout the user interface. Examples include:

SETLS servers

The following service providers are used by SETLS:

Feature          Provider  Location
Web application  Amazon    Sydney, Australia
Database         Amazon    Sydney, Australia
Email            Amazon    Sydney, Australia
SMS              Amazon    Sydney, Australia

The list of IP address ranges currently used by Amazon is available from "AWS IP address ranges" in the AWS General Reference (amazon.com).

The SETLS database is not currently protected by encryption at rest. 

What to do in case of suspected data breach

In the case of a suspected data breach (for example, a committee member's phone is stolen, or there is a break-in and your laptop, which was left logged in, is stolen), please follow the steps below to help secure your data, and email admin@setls.com.au.

LOG OUT THE USER (pictured)

If you are confident which users are logged in or saved on the devices, go to their account and select login history. You have the option of logging out specific sessions, or logging all sessions out. If it is your own account that has been compromised, logging all sessions out will boot you out too, so you may want to have another committee member on standby to do the next steps.

REMOVE ADMIN PRIVILEGES

Go to Profile, edit, and change Security Level to normal. This means that even if the person manages to log in, they won't be able to access anything other than that account's details.

RESET PASSWORD

Go to Username/Password, and generate a new password. This means that the password saved on the device will no longer work.

Note: I know some toy libraries also leave their emails logged in on their laptops, so there is a chance that if you email out the new password it will be received by the thief, which is why it's so important to revoke those admin privileges.
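The login model from "Authentication & password management" and the three breach steps above can be sketched in Ruby as follows. This is an added example, not SETLS code: the class and method names are hypothetical, and PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption, since the page states only that passwords are stored as a salted hash.

```ruby
require "digest"
require "openssl"
require "securerandom"

# Illustrative in-memory store, not SETLS code. The KDF choice is an assumption.
class Accounts
  ITERATIONS = 600_000 # assumed PBKDF2 work factor
  User = Struct.new(:salt, :digest, :admin, :sessions)

  def initialize; @users = {}; end

  def add(name, password, admin: false)
    @users[name] = User.new(nil, nil, admin, {})
    set_password(name, password)
  end

  def set_password(name, password)
    user = @users.fetch(name)
    user.salt = SecureRandom.random_bytes(16) # fresh salt on every change
    user.digest = kdf(password, user.salt)
  end

  # Returns a new session token on success, nil on failure.
  def login(name, password, device)
    user = @users[name]
    return nil unless user && OpenSSL.fixed_length_secure_compare(user.digest, kdf(password, user.salt))
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the CSPRNG
    user.sessions[Digest::SHA256.hexdigest(token)] = device # store a digest only
    token
  end

  def session_valid?(name, token)
    @users.fetch(name).sessions.key?(Digest::SHA256.hexdigest(token))
  end

  def admin?(name); @users.fetch(name).admin; end

  # The breach steps in page order: end sessions, drop admin, rotate password.
  def lock_down(name)
    user = @users.fetch(name)
    user.sessions.clear
    user.admin = false
    SecureRandom.alphanumeric(20).tap { |pw| set_password(name, pw) }
  end

  private def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end
end
```

Clearing the session table invalidates the cookie saved on the stolen device, and replacing the salt and hash invalidates the password saved there.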

 


Release Notes

2025-02-16

2024-12-30

2024-12-15

2024-11-06

2024-09-22

2024-07-09

2024-06-26

2024-06-13

2024-06-06

2024-05-26

2024-05-11 release applied to all sites. Issues with ruby/rails bump, so rolled that back.

2024-05-11

(Dev release only)

2024-04-28

2024-03-14

2024-03-10

2024-03-04

2024-02-29

2024-02-25

2024-01-24

2024-01-15

2024-01-09

2024-01-07

2023-12-24

2023-11-28

2023-11-16

2023-11-13

2023-10-07

2023-10-02

2023-09-25

2023-09-13

2023-09-09

2023-09-06

2023-08-31

2023-08-30

2023-08-25

2023-08-24

2023-08-23

2023-08-21

2023-08-14

2023-08-13

2023-08-06

2023-07-30

2023-07-22

2023-07-16

2023-07-08

2023-06-25

2023-06-04

2023-05-21

2023-04-24

2023-04-23

2023-04-11

2023-04-10

2023-03-01

2023-02-09

2023-01-18

2023-01-07

2023-01-05

2022-12-29

2022-12-07

2022-11-27

2022-10-01

2022-08-11

2022-07-27

2022-07-26

2022-07-25

2022-07-23

2022-07-05

2022-07-04

2022-06-24

2022-06-18

2022-06-14

2022-06-06

2022-05-22

2022-05-19

2022-05-14

2022-05-09

2022-05-05

2022-04-27

2022-04-17

2022-04-03

2022-03-30

2022-03-09

2022-03-06

2022-02-26

2022-02-16

2022-02-13

2022-02-08

2022-01-25

2022-01-06

2021-12-27

2021-11-14

2021-11-05

2021-08-22

Set up Microsoft logins

If your organization uses Microsoft work or school accounts, these can be used to log into SETLS. To set this up, an administrator may need to follow the steps below.

Basic setup

  1. Sign into the Azure Portal
  2. Switch to the appropriate tenant using the 'Cog' button in the top right
  3. Open the Azure Active Directory service 
  4. Click Enterprise applications in the menu on the left
  5. Click SeTLS - Serious Toy Library Software
    • If SeTLS is not in the list, attempt to sign into SeTLS using your Microsoft account, then come back and refresh the page. You may need to use an account with one of the 'Application Administrator' or 'Cloud Application Administrator' roles.
  6. Click Properties in the menu on the left
    • Set Enabled for users to sign-in to Yes

When using Microsoft accounts, consent must be provided to the application. This can be done:

For more information, see Overview of user and admin consent - Microsoft Entra | Microsoft Learn.

  1. Follow steps 1-5 above to open SeTLS - Serious Toy Library Software
  2. Click Permissions in the menu on the left
  3. Click the Grant admin consent for <organisation> button
    • Log in with your Microsoft account if necessary
  4. Refresh the list to see the list of permissions

Self-service

  1. Follow steps 1-5 above to open SeTLS - Serious Toy Library Software
  2. Click Self-service in the menu on the left
  3. Set Allow users to request access to this application to Yes
  4. Click Select group and choose an AAD group
    • we recommend creating a dedicated group, for example "SETLS Users"
  5. Set Require approval before granting access to this application to Yes if needed

Self-service is subject to global settings found on the Consent and permissions page.

How Do Barcodes Work?

SeTLS works with traditional "wedge" style barcode scanners in any field that accepts keyboard input.
To use barcodes effectively for toys, turn on the "Toys use barcodes?" boolean in Toy library settings.
SeTLS expects the scanned value to match the toy's "Barcode" field or, if that field is empty, the toy's ID (the number on the toy itself, not the database ID). The "Barcode" field is most useful if you are using pre-made stickers or, for historical reasons, have values that differ from the toy's ID. Leaving the Barcode field empty so that it defaults to the toy ID is the most stable option.
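The matching rule above, written out as an added Ruby example (not SETLS code). It assumes the scanner types the value followed by Enter and that toys are hashes with hypothetical :toy_id and :barcode keys; it also flags the case where a sticker value on one toy equals another toy's ID, which the page does not say how SETLS handles.

```ruby
# Illustrative resolver, not SETLS code. Field names are assumptions.
def effective_code(toy)
  code = toy[:barcode].to_s.strip
  code.empty? ? toy[:toy_id].to_s : code # empty Barcode falls back to Toy ID
end

# Returns [:ok, toy], [:unknown, nil] or [:ambiguous, [toys...]].
def resolve_scan(raw, toys)
  scanned = raw.strip # drop the trailing CR/LF typed by the wedge scanner
  hits = toys.select { |t| effective_code(t) == scanned }
  case hits.size
  when 0 then [:unknown, nil]
  when 1 then [:ok, hits.first]
  else [:ambiguous, hits]
  end
end

# Pre-flight check: effective codes shared by more than one toy.
def colliding_codes(toys)
  toys.group_by { |t| effective_code(t) }.select { |_, g| g.size > 1 }.keys
end

# Constructed sample data: T103's sticker value collides with T101's Toy ID.
TOYS = [
  { toy_id: "T101", barcode: "" },
  { toy_id: "T102", barcode: "9300000000017" },
  { toy_id: "T103", barcode: "T101" },
].freeze
```

Under this reading of the rule, scanning "T102" finds nothing because that toy has a Barcode value set, so its ID is no longer used for matching.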

How do I get barcodes on my toys?

Some labels support barcodes and will generate the barcode when printed. Other options include dedicated barcode label makers, where you create barcodes for values you choose yourself, or barcode stickers with pre-created values. If using barcode stickers, you will need to update each toy with the value on its sticker, and if the sticker is replaced, you will need to update the toy again.